SSLv3 Disabled Due to POODLE Bug

A new vulnerability in SSL version 3.0 (SSLv3) and they call it POODLE (Padding Oracle On Downgraded Legacy Encryption). The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when using the SSLv3 protocol.

Who does this affect?

SSLv3 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.

However, the only group of users who will be seriously affected by this bug is those who are still using Internet Explorer 6 on Windows XP (both are already at their End of Life).

Our Response

We will be disabling SSLv3 across all of our servers as this is a serious vulnerability with no patch in sight (as SSLv3 is very old) and most web browsers will be dropping support for SSLv3 after this POODLE incident anyway.

If you receive any complaints from your website visitors who are affected by the decision to disable SSLv3, we highly recommend that you suggest them to stop using Internet Explorer 6 and switch to a modern browser like Google Chrome, Firefox, Safari or more recent version of Internet Explorer.